Client Alert: When Bad Actors Break into HHS Payment Management Services (“PMS”) Accounts – Lessons for Grantees in the Wake of Cyber Theft
The thousands of grant recipients that access their funds through the Department of Health and Human Services’ (“HHS”) Payment Management Services (“PMS”) are encouraged to assess their strategies for reducing cybersecurity risk in the wake of recently confirmed PMS security breaches. While there appear to have been fewer than a dozen incidents, each confirmed breach resulted in funds meant for grantees being stolen directly from PMS.
HHS has issued guidance on Best Practices on HHS System Security, which addresses securing user access and protecting sensitive information in PMS and other HHS systems. The guidance is available here.
To protect your organization and payment system integrity, HHS recommends that you: (i) set role-based access controls; (ii) adopt a zero-trust policy; (iii) follow the principle of least privilege; (iv) inventory, update, and audit user accounts; and (v) educate and train system users.
If you detect suspicious or unauthorized activity posting to your organization’s PMS accounts, contact your PMS representative and your grant program officer immediately. Implement an appropriate response in coordination with PMS and your funder, which may include conducting an internal investigation and cybersecurity audit, contacting law enforcement, and notifying your insurance carrier promptly.
For questions concerning unauthorized grant payment system transactions, please contact Phillip A. Escoriaza, Senior Counsel, at 202.466.8960 or pescoriaza@feldesman.com.